Sure. There may be some man page locations missing, from a grep:
man2/sysctl.2:.It Dv KERN_ALLOWKMEM Pq Va kern.allowkmem man3/sysctl.3:.It Dv KERN_ALLOWKMEM Pq Va kern.allowkmem man7/securelevel.7:.Va kern.allowkmem , Martin Pieuchot <[email protected]> wrote: > On 22/01/20(Wed) 14:56, Theo de Raadt wrote: > > Todd C. Miller <[email protected]> wrote: > > > > > On Wed, 22 Jan 2020 15:12:25 +0100, Martin Pieuchot wrote: > > > > > > > dt(4) is a debugging interface that allows userland to read kernel > > > > addresses. So its access should be restricted by default, just like > > > > mem(4). > > > > > > > > Diff prevent opening the pseudo-device unless `allowkmem' is set. > > > > > > Does it really make sense to reuse `allowkmem' for this? This will > > > mean that in order to use dt(4) you also have to open up mem(4). > > > I don't think that is desirable. > > > > The things you can learn via dt are a stong inspection window into > > kmem. I think it's stronger than immediately obvious. > > > > > If you want to disable dt(4) by default I think you are better off > > > using a new sysctl knob. > > > > I'm on the fence about it. But it is small, so I think allowdt is > > better. > > Sure! Diff below does that, ok? > > Index: dev/dt/dt_dev.c > =================================================================== > RCS file: /cvs/src/sys/dev/dt/dt_dev.c,v > retrieving revision 1.1 > diff -u -p -r1.1 dt_dev.c > --- dev/dt/dt_dev.c 21 Jan 2020 16:16:23 -0000 1.1 > +++ dev/dt/dt_dev.c 23 Jan 2020 08:56:00 -0000 > @@ -132,6 +132,10 @@ dtopen(dev_t dev, int flags, int mode, s > { > struct dt_softc *sc; > int unit = minor(dev); > + extern int allowdt; > + > + if (!allowdt) > + return EPERM; > > KASSERT(dtlookup(unit) == NULL); > > Index: kern/kern_sysctl.c > =================================================================== > RCS file: /cvs/src/sys/kern/kern_sysctl.c,v > retrieving revision 1.369 > diff -u -p -r1.369 kern_sysctl.c > --- kern/kern_sysctl.c 2 Jan 2020 08:52:53 -0000 1.369 > +++ kern/kern_sysctl.c 23 Jan 2020 08:54:12 -0000 > @@ -129,6 +129,7 @@ extern int audio_record_enable; > #endif > > int allowkmem; > +int allowdt; > > int sysctl_diskinit(int, struct proc *); > int sysctl_proc_args(int *, u_int, void *, size_t *, struct proc *); > @@ -358,12 +359,14 @@ kern_sysctl(int *name, u_int namelen, vo > return (EPERM); > securelevel = level; > return (0); > + case KERN_ALLOWDT: > + if (securelevel > 0) > + return (sysctl_rdint(oldp, oldlenp, newp, allowdt)); > + return (sysctl_int(oldp, oldlenp, newp, newlen, &allowdt)); > case KERN_ALLOWKMEM: > if (securelevel > 0) > - return (sysctl_rdint(oldp, oldlenp, newp, > - allowkmem)); > - return (sysctl_int(oldp, oldlenp, newp, newlen, > - &allowkmem)); > + return (sysctl_rdint(oldp, oldlenp, newp, allowkmem)); > + return (sysctl_int(oldp, oldlenp, newp, newlen, &allowkmem)); > case KERN_HOSTNAME: > error = sysctl_tstring(oldp, oldlenp, newp, newlen, > hostname, sizeof(hostname)); > Index: sys/sysctl.h > =================================================================== > RCS file: /cvs/src/sys/sys/sysctl.h,v > retrieving revision 1.199 > diff -u -p -r1.199 sysctl.h > --- sys/sysctl.h 24 Dec 2019 13:13:54 -0000 1.199 > +++ sys/sysctl.h 23 Jan 2020 08:55:26 -0000 > @@ -165,7 +165,7 @@ struct ctlname { > #define KERN_SHMINFO 62 /* struct: SysV struct shminfo > */ > #define KERN_INTRCNT 63 /* node: interrupt counters */ > #define KERN_WATCHDOG 64 /* node: watchdog */ > -/* was KERN_EMUL 65 */ > +#define KERN_ALLOWDT 65 /* int: allowdt */ > #define KERN_PROC 66 /* struct: process entries */ > #define KERN_MAXCLUSTERS 67 /* number of mclusters */ > #define KERN_EVCOUNT 68 /* node: event counters */ > @@ -257,7 +257,7 @@ struct ctlname { > { "shminfo", CTLTYPE_STRUCT }, \ > { "intrcnt", CTLTYPE_NODE }, \ > { "watchdog", CTLTYPE_NODE }, \ > - { "gap", 0 }, \ > + { "allowdt", CTLTYPE_INT }, \ > { "proc", CTLTYPE_STRUCT }, \ > { "maxclusters", CTLTYPE_INT }, \ > { "evcount", CTLTYPE_NODE }, \
